eclipse-sw360 · nikkuma7 · Apr 13, 2024
@@ -40,6 +40,7 @@
 import org.eclipse.sw360.datahandler.thrift.components.Release;
 import org.eclipse.sw360.datahandler.thrift.components.ReleaseLink;
 import org.eclipse.sw360.datahandler.thrift.projects.Project;
+import org.eclipse.sw360.datahandler.thrift.users.RequestedAction;
 import org.eclipse.sw360.datahandler.thrift.users.User;
 import org.eclipse.sw360.datahandler.thrift.vendors.Vendor;
 import org.eclipse.sw360.datahandler.thrift.vulnerabilities.VulnerabilityDTO;
@@ -96,6 +97,7 @@
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
 
+import static org.eclipse.sw360.datahandler.permissions.PermissionUtils.makePermission;
 import static org.springframework.hateoas.server.mvc.WebMvcLinkBuilder.linkTo;
 
 @BasePathAwareController
@@ -109,6 +111,8 @@ public class ComponentController implements RepresentationModelProcessor<Reposit
     private static final Logger log = LogManager.getLogger(ComponentController.class);
     private static final ImmutableMap<String, String> RESPONSE_BODY_FOR_MODERATION_REQUEST = ImmutableMap.<String, String>builder()
             .put("message", "Moderation request is created").build();
+    private static final ImmutableMap<String, String> RESPONSE_BODY_FOR_MODERATION_REQUEST_WITH_COMMIT = ImmutableMap.<String, String>builder()
+            .put("message", "Unauthorized user or empty commit message passed.").build();
 
     @NonNull
     private final Sw360ComponentService componentService;
@@ -346,25 +350,31 @@ public ResponseEntity<EntityModel<Component>> patchComponent(
             @Parameter(description = "The id of the component to be updated.")
             @PathVariable("id") String id,
             @Parameter(description = "The component with updated fields.")
-            @RequestBody ComponentDTO updateComponentDto
+            @RequestBody ComponentDTO updateComponentDto,
+            @RequestParam(value = "comment", required = false) String comment
     ) throws TException {
         User user = restControllerHelper.getSw360UserFromAuthentication();
         Component sw360Component = componentService.getComponentForUserById(id, user);
         sw360Component = this.restControllerHelper.updateComponent(sw360Component, updateComponentDto);
+        user.setCommentMadeDuringModerationRequest(comment);
         Set<AttachmentDTO> attachmentDTOS = updateComponentDto.getAttachmentDTOs();
         if (!CommonUtils.isNullOrEmptyCollection(attachmentDTOS)) {
             Set<Attachment> attachments = new HashSet<>();
-            for (AttachmentDTO attachmentDTO: attachmentDTOS) {
+            for (AttachmentDTO attachmentDTO : attachmentDTOS) {
                 attachments.add(restControllerHelper.convertToAttachment(attachmentDTO, user));
             }
             sw360Component.setAttachments(attachments);
         }
-        RequestStatus updateComponentStatus = componentService.updateComponent(sw360Component, user);
-        HalResource<Component> userHalResource = createHalComponent(sw360Component, user);
-        if (updateComponentStatus == RequestStatus.SENT_TO_MODERATOR) {
-            return new ResponseEntity(RESPONSE_BODY_FOR_MODERATION_REQUEST, HttpStatus.ACCEPTED);
+        if (!restControllerHelper.isWriteActionAllowed(sw360Component, user) && comment == null) {
+            return new ResponseEntity(RESPONSE_BODY_FOR_MODERATION_REQUEST_WITH_COMMIT, HttpStatus.FORBIDDEN);
+        } else {
+            RequestStatus updateComponentStatus = componentService.updateComponent(sw360Component, user);
+            HalResource<Component> userHalResource = createHalComponent(sw360Component, user);
+            if (updateComponentStatus == RequestStatus.SENT_TO_MODERATOR) {
+                return new ResponseEntity(RESPONSE_BODY_FOR_MODERATION_REQUEST, HttpStatus.ACCEPTED);
+            }
+            return new ResponseEntity<>(userHalResource, HttpStatus.OK);
         }
-        return new ResponseEntity<>(userHalResource, HttpStatus.OK);
     }
 
     @PreAuthorize("hasAuthority('WRITE')")
@@ -484,18 +494,26 @@ public ResponseEntity<EntityModel<Attachment>> patchComponentAttachmentInfo(
             @Parameter(description = "The id of the attachment.")
             @PathVariable("attachmentId") String attachmentId,
             @Parameter(description = "The attachment info to be updated.")
-            @RequestBody Attachment attachmentData
+            @RequestBody Attachment attachmentData,
+            @RequestParam(value = "comment", required = false) String comment
+
     ) throws TException {
         final User sw360User = restControllerHelper.getSw360UserFromAuthentication();
         final Component sw360Component = componentService.getComponentForUserById(id, sw360User);
         Set<Attachment> attachments = sw360Component.getAttachments();
-        Attachment updatedAttachment = attachmentService.updateAttachment(attachments, attachmentData, attachmentId, sw360User);
+        sw360User.setCommentMadeDuringModerationRequest(comment);
+        Attachment updatedAttachment = attachmentService.updateAttachment(attachments, attachmentData, attachmentId,
+                sw360User);
         RequestStatus updateComponentStatus = componentService.updateComponent(sw360Component, sw360User);
-        if (updateComponentStatus == RequestStatus.SENT_TO_MODERATOR) {
-            return new ResponseEntity(RESPONSE_BODY_FOR_MODERATION_REQUEST, HttpStatus.ACCEPTED);
+        if (!restControllerHelper.isWriteActionAllowed(sw360Component, sw360User) && comment == null) {
+            return new ResponseEntity(RESPONSE_BODY_FOR_MODERATION_REQUEST_WITH_COMMIT, HttpStatus.FORBIDDEN);
+        } else {
+            if (updateComponentStatus == RequestStatus.SENT_TO_MODERATOR) {
+                return new ResponseEntity(RESPONSE_BODY_FOR_MODERATION_REQUEST, HttpStatus.ACCEPTED);
+            }
+            EntityModel<Attachment> attachmentResource = EntityModel.of(updatedAttachment);
+            return new ResponseEntity<>(attachmentResource, HttpStatus.OK);
         }
-        EntityModel<Attachment> attachmentResource = EntityModel.of(updatedAttachment);
-        return new ResponseEntity<>(attachmentResource, HttpStatus.OK);
     }
 
     @Operation(
@@ -531,10 +549,15 @@ public ResponseEntity<HalResource> addAttachmentToComponent(
             @Parameter(description = "The file to be uploaded.")
             @RequestPart("file") MultipartFile file,
             @Parameter(description = "The attachment info to be created.")
-            @RequestPart("attachment") Attachment newAttachment
+            @RequestPart("attachment") Attachment newAttachment,
+            @RequestParam(value = "comment", required = false) String comment
     ) throws TException {
         final User sw360User = restControllerHelper.getSw360UserFromAuthentication();
         final Component component = componentService.getComponentForUserById(componentId, sw360User);
+        sw360User.setCommentMadeDuringModerationRequest(comment);
+        if (!restControllerHelper.isWriteActionAllowed(component, sw360User) && comment == null) {
+            return new ResponseEntity(RESPONSE_BODY_FOR_MODERATION_REQUEST_WITH_COMMIT, HttpStatus.ACCEPTED);
+        }
         Attachment attachment = null;
         try {
             attachment = attachmentService.uploadAttachment(file, newAttachment, sw360User);
@@ -609,10 +632,13 @@ public void downloadAttachmentBundleFromComponent(
     @DeleteMapping(COMPONENTS_URL + "/{componentId}/attachments/{attachmentIds}")
     public ResponseEntity<HalResource<Component>> deleteAttachmentsFromComponent(
             @PathVariable("componentId") String componentId,
-            @PathVariable("attachmentIds") List<String> attachmentIds) throws TException {
+            @PathVariable("attachmentIds") List<String> attachmentIds, @RequestParam(value = "comment", required = false) String comment) throws TException {
         User user = restControllerHelper.getSw360UserFromAuthentication();
         Component component = componentService.getComponentForUserById(componentId, user);
-
+        user.setCommentMadeDuringModerationRequest(comment);
+        if (!restControllerHelper.isWriteActionAllowed(component, user) && comment == null) {
+            return new ResponseEntity(RESPONSE_BODY_FOR_MODERATION_REQUEST_WITH_COMMIT, HttpStatus.FORBIDDEN);
+        }
         Set<Attachment> attachmentsToDelete = attachmentService.filterAttachmentsToRemove(Source.componentId(componentId),
                 component.getAttachments(), attachmentIds);
         if (attachmentsToDelete.isEmpty()) {

@@ -51,6 +51,7 @@
 import org.eclipse.sw360.datahandler.thrift.projects.Project;
 import org.eclipse.sw360.datahandler.thrift.projects.ProjectService;
 import org.eclipse.sw360.datahandler.thrift.projects.ProjectDTO;
+import org.eclipse.sw360.datahandler.thrift.users.RequestedAction;
 import org.eclipse.sw360.datahandler.thrift.users.User;
 import org.eclipse.sw360.datahandler.thrift.vendors.Vendor;
 import org.eclipse.sw360.datahandler.thrift.vulnerabilities.*;
@@ -115,6 +116,7 @@
 import java.util.stream.Collectors;
 
 import static org.eclipse.sw360.datahandler.common.CommonUtils.isNullEmptyOrWhitespace;
+import static org.eclipse.sw360.datahandler.permissions.PermissionUtils.makePermission;
 import static org.springframework.hateoas.server.mvc.WebMvcLinkBuilder.linkTo;
 
 @Service
@@ -1655,4 +1657,8 @@ public ClearingRequest updateCRSize(ClearingRequest clearingRequest, Project pro
         }
         return clearingRequestService.getClearingRequestById(clearingRequest.getId(), sw360User);
     }
+
+    public boolean isWriteActionAllowed(Object object, User user) {
+        return makePermission(object, user).isActionAllowed(RequestedAction.WRITE);
+    }
 }